How-to: Use aws-vault to assume a role across AWS accounts

This article will show you how to assume a role and perform aws-cli commands in one account after authenticating via a user in a trusted account (e.g. using the Identity Account pattern).

This article is the third and final in a series of instructional posts regarding the aws-vault tool. If you haven’t already, please see the first, which describes how to manage AWS credentials securely, and the second, which describes configuring and assuming a role in a single AWS account.

Step-by-step guide

The goal of this example is to execute a command in a functional, production account using the trusted credentials of a non-functional identity account.

Finally, rerun the same commands from Step 4 to verify that the output is the same. The significant difference is that the production profile now assumes the role via the trusted identity account when running the aws s3 ls command.
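The following is an added example, not taken from the original article: a constructed AWS config for the identity-account pattern, plus a small offline shell check that the production profile assumes its role through the identity profile. The account IDs, role name, MFA device, the use of MFA and the helper function names are assumptions.

```shell
#!/bin/sh
# Constructed sample config: account IDs, role name and MFA device are placeholders.
make_sample_config() {
  cat <<'EOF'
[profile identity]
region = us-east-1
mfa_serial = arn:aws:iam::111111111111:mfa/example-user

[profile production]
region = us-east-1
role_arn = arn:aws:iam::222222222222:role/ExampleRole
source_profile = identity
mfa_serial = arn:aws:iam::111111111111:mfa/example-user
EOF
}

# get_key FILE PROFILE KEY: print KEY's value from [profile PROFILE], or nothing.
# (Hypothetical helper; it does not handle the [default] section.)
get_key() {
  awk -v want="[profile $2]" -v key="$3" '
    /^\[/ { in_sec = ($0 == want); next }
    in_sec && (eq = index($0, "=")) {
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# describe_profile FILE PROFILE: summarise how PROFILE obtains credentials.
# Returns 1 if PROFILE does not assume a role through a source profile.
describe_profile() {
  role=$(get_key "$1" "$2" role_arn)
  src=$(get_key "$1" "$2" source_profile)
  [ -n "$role" ] && [ -n "$src" ] || return 1
  mfa=no
  [ -n "$(get_key "$1" "$2" mfa_serial)" ] && mfa=yes
  echo "$2 assumes $role via $src (mfa: $mfa)"
}

cfg=$(mktemp)
make_sample_config > "$cfg"
describe_profile "$cfg" production
describe_profile "$cfg" identity || echo "identity assumes no role (credential source)"
rm -f "$cfg"
# With a real config, aws-vault would then run the page's command as:
#   aws-vault exec production -- aws s3 ls
```

To audit a real setup, pass the path of your own config file (normally ~/.aws/config) to describe_profile instead of the temporary file.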
